MS Warns of Malware Requires System Reinstall

Microsoft informed of a new kind of rootkit that hides in the boot sector MBR. This new malware makes any windows user have to reinstall the whole system to remove it.

The new Trojan that Microsoft calls Popureb displays advertisements, and modifies the affected user’s Internet Explorer start page. The Trojan works by:

MBR decrypts Trojan:Win32/Popureb.B from the disk sectors and saves it as the following:

  • %windir%\mgr.exe

The saved file will be deleted after execution.

Trojan:Win32/Popureb.B modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: “qQ
With data: “%windir%\mgr.exe

Now the Trojan:Win32/Popureb.E has made some changes in its code as it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed or removed by Antiviruses. The driver component protects the data by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys).

According to Chun Feng : “If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called “fixmbr”.”

Feng has published links to instructions for correcting the MBR on Windows XP, Vista and Se7en But always prevention is better than cure so to prevent from getting infected with the malware, install the latest definition for Microsoft operating system , antivirus and Microsoft Defender.

Share
You can leave a response, or trackback from your own site.